Re: [SNI-14]: Solaris rpcbind vulnerability

Anthony C. Zboralski (anthony@sct.fr)
Thu, 05 Jun 1997 05:13:07 +0200

> On Solaris 2.x operating systems, rpcbind listens not only on TCP port
> 111, and UDP port 111, but also on a port greater than 32770. This results
> in a large number of packet filters, which intend to block access to
> rpcbind/portmapper, being ineffective. Instead of sending requests
> to TCP or UDP port 111, the attacker simply sends them to a UDP port
> greater than 32770 on which rpcbind is listening.

NOTE: Please don't send mail asking for strobe and lsof.
Pristine sources at:
ftp.suburbia:/pub/strobe*
vic.cc.purdue.edu:/pub/tools/unix/lsof (list open files)

Ok, I checked from a remote location a dear Solaris 2.5.1 I have access
to, and there isn't one but 6 ports being listened on:

[root@turing]# strobe sol251.victim.org -P24 -b32700
strobe 1.03 (c) 1995 Julian Assange (proff@suburbia.net).
sol251.victim.org unknown 32772/tcp unassigned
sol251.victim.org unknown 32773/tcp unassigned
sol251.victim.org unknown 32774/tcp unassigned
sol251.victim.org unknown 32775/tcp unassigned
sol251.victim.org unknown 32785/tcp unassigned
sol251.victim.org unknown 32789/tcp unassigned

'Twasn't what the Sun Security Bulletin said.. I actually found it suspect
that they didn't say which port was faulty.

let's look...

[root@turing]# ssh -l root sol251.victim.org
Enter passphrase for RSA key 'root@sol251':
root@sol251$ lsof -i | grep ^rpcbind
rpcbind 135 root 3u inet 0xf5953d68 0t0 UDP*:sunrpc
rpcbind 135 root 4u inet 0xf5953dd8 0t0 UDP*:0
rpcbind 135 root 5u inet 0xf5953c88 0t0 UDP*:32771
rpcbind 135 root 6u inet 0xf5953c18 0t0 TCP*:sunrpc
rpcbind 135 root 7u inet 0xf5953ba8 0t0 TCP*:53918

Ok, it is 32771; now what are those 327xx ports for?

root@sol251$ lsof -i | grep 327..$
lsof -i|grep 327..$
rpcbind 135 root 5u inet 0xf5953c88 0t0 UDP*:32771
ypserv 157 root 5u inet 0xf5953208 0t0 TCP*:32772
rpc.nisd_ 159 root 0u inet 0xf5953518 0t0 UDP*:32779
ypbind 161 root 4u inet 0xf5953588 0t0 UDP*:32782
ypbind 161 root 6u inet 0xf5953668 0t0 UDP*:32783
ypbind 161 root 10u inet 0xf59536d8 0t0 TCP*:32773
ypxfrd 169 root 3u inet 0xf5ebef30 0t0 UDP*:32787
ypxfrd 169 root 4u inet 0xf5953048 0t0 TCP*:32774
kerbd 176 root 6u inet 0xf5ebec20 0t0 UDP*:32788
in.named 189 root 9u inet 0xf5ebe9f0 0t0 UDP*:32790
inetd 194 root 6u inet 0xf5ebe910 0t0 UDP*:32792
inetd 194 root 7u inet 0xf5ebe210 0t0 UDP*:32795
inetd 194 root 8u inet 0xf5ebe600 0t0 UDP*:32797
statd 197 root 3u inet 0xf5ebe830 0t0 UDP*:32793
statd 197 root 4u inet 0xf5ebe7c0 0t0 TCP*:32775
statd 197 root 9u inet 0xf5ebe1a0 0t0 UDP*:32798
dtlogin 305 root 6u inet 0xf5eff6c0 0t0 TCP*:32785
mountd 345 root 6u inet 0xf5eff260 0t0 TCP*:32789
dtlogin 1191 root 6u inet 0xf5eff6c0 0t0 TCP*:32785
fbconsole 1193 root 6u inet 0xf5eff6c0 0t0 TCP*:32785
Xsession. 5633 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
Xsession. 5636 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
ctwm 5637 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
xbiff 5641 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
xterm 5642 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785
xterm 12246 sam 6u inet 0xf5eff6c0 0t0 TCP*:32785

It looks sexy, but I'll let someone else investigate 'cause I am not taking
any more Solaris shit today.. it is 4:47 am.

--
Anthony C. Zboralski ACZ3 <frantic@sct.fr>
Immunis, 24, rue Vieille du Temple, 75004 Paris
Phone: +33 1 44 545 535, Fax: +33 1 42 775 649
KeyID 1024/ED8D8A39
Key fingerprint = C5 27 9A 0C 56 30 10 F9  9D 54 EE DB 2C 14 2A 78
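Added example (not code from the post, nor from strobe or lsof): a small Python audit script that parses `lsof -i` output like the listing above and reports which rpcbind sockets a packet filter that only blocks port 111 would leave reachable, plus every process bound in the dynamic port range. The sample lines are copied from the post; the assumed line layout (`inet` column followed by `*:port`) is the one this Solaris lsof printed.

```python
import re
from collections import defaultdict

# `lsof -i` lines copied from the post above (constructed test input, not live output).
LSOF_OUTPUT = """\
rpcbind 135 root 3u inet 0xf5953d68 0t0 UDP*:sunrpc
rpcbind 135 root 4u inet 0xf5953dd8 0t0 UDP*:0
rpcbind 135 root 5u inet 0xf5953c88 0t0 UDP*:32771
rpcbind 135 root 6u inet 0xf5953c18 0t0 TCP*:sunrpc
rpcbind 135 root 7u inet 0xf5953ba8 0t0 TCP*:53918
ypserv 157 root 5u inet 0xf5953208 0t0 TCP*:32772
statd 197 root 3u inet 0xf5ebe830 0t0 UDP*:32793
"""

# Matches the wildcard-bound ("*:port") form lsof printed on this host (assumed layout).
LINE_RE = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+inet\s+\S+\s+\S+\s+"
                     r"(?P<proto>TCP|UDP)\*:(?P<port>\S+)$")

SERVICE_PORTS = {"sunrpc": 111}  # lsof prints names for well-known ports


def parse_lsof(text):
    """Return (cmd, pid, proto, port) for every wildcard-bound socket in the output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line, or a socket bound to one specific address
        port = m.group("port")
        port = SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)
        entries.append((m.group("cmd"), int(m.group("pid")), m.group("proto"), port))
    return entries


def rpcbind_bypass_ports(entries, blocked=frozenset({("TCP", 111), ("UDP", 111)})):
    """rpcbind sockets that a filter dropping only port 111 leaves reachable.
    Port 0 is an unbound socket that cannot be reached, so it is skipped."""
    return [(proto, port) for cmd, _, proto, port in entries
            if cmd == "rpcbind" and port != 0 and (proto, port) not in blocked]


def high_port_listeners(entries, floor=32770):
    """Map each command to the dynamic-range ports it bound, for a filter review."""
    by_cmd = defaultdict(list)
    for cmd, _, proto, port in entries:
        if port > floor:
            by_cmd[cmd].append((proto, port))
    return dict(by_cmd)
```

Run it against a real `lsof -i` capture from the host being reviewed; any port returned by `rpcbind_bypass_ports` is one the packet filter must also cover.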